Log processing device and log processing method

ABSTRACT

A log processing device and a log processing method thereof are provided. The log processing device divides the original log data into a plurality of block data, transforms a numeric variable of each of the block data into a representative code, and determines whether to perform a combination process for continuous block data to generate a plurality of combinational block data according to a data integrity of each of the block data. The log processing data takes the combinational block data as a log template, and each of the combinational block data corresponds to an event.

CROSS-REFERENCE TO RELATED APPLICATION

This application claims priority to Taiwan Application Ser. No. 109136181, filed Oct. 19, 2020, which is herein incorporated by reference in its entirety.

BACKGROUND

Field of Invention

The present disclosure relates to a log processing device and log processing method thereof. More particularly, the log processing device of the present disclosure replaces variables of original log data to compress the amount of data, provides corresponding combination rule, separates events, and generates log templates.

Description of Related Art

Most existing log parsing methods use specific symbols (e.g., *) and characters (e.g., DATE, TIME, NUM, IPADDR, PORT, etc.) to replace variables, and then perform data decrement and data compression through a series of preset parsing rules to generate log templates.

However, in the process of converting the original log data to the log template and the event template, not all the preset parsing rules are used. Besides, the application sequence of the preset parsing rules will be different due to the arrangement of the content of the original log data. Even if the contents are similar, original log data with different expressions still need their corresponding parsing rules and application sequence of the parsing rules. Moreover, the events which triggered the original log data cannot be extracted in the process of parsing the original log data, and the variable change in the original log data cannot be explored and analyzed in the process of parsing the original log data.

Accordingly, an urgent need exists in the art to provide a log data parsing mechanism which can parse various original log data according to the same parsing rule and extract events which triggered the original log data during the parsing process.

SUMMARY

An objective of the present invention is to provide a log data parsing mechanism which replaces a variable with a representative code according to a data attribute of multiple block data of an original log data, combines incomplete continuous block data, and generates a log template based on the events corresponding to each of the combined block data and each of the uncombined block data. Accordingly, the log data parsing mechanism of the present disclosure can extract events which triggered the events of the original log data during the parsing process and analyze the variable change in the original log data.

To achieve the aforesaid objective, the present invention discloses a log processing device which comprises a memory and a processor. The memory is configured to store an original log data. The processor is electrically connected to the memory, and is configured to perform the following operations: dividing the original log data into a plurality of block data according to a first rule; transforming a numeric variable of each of the block data into a representative code according to a data attribute of each of the block data; determining whether to perform a combination process on the continuous block data to generate a plurality of combinational block data according to a data integrity of each of the block data; and generating a log template corresponding to the original log data, the log template comprising the combinational log data. Each of the combinational block data corresponds to an event.

Moreover, the present invention further discloses a log processing method for a log processing device. The log processing device comprises a memory and a processor. The memory stores an original log data. The log processing method is executed by the processor and comprises the following steps: dividing the original log data into a plurality of block data according to a first rule; transforming a numeric variable of each of the block data into a representative code according to a data attribute of each of the block data; determining whether to perform a combination process for the continuous block data to generate a plurality of combinational block data according to a data integrity of each of the block data; and generating a log template corresponding to the original log data, the log template comprising the combinational block data. Each of the combinational block data corresponds to an event.

It is to be understood that both the foregoing general description and the following detailed description are by examples, and are intended to provide further explanation of the invention as claimed.

BRIEF DESCRIPTION OF THE DRAWINGS

The invention can be more fully understood by reading the following detailed description of the embodiment, with reference made to the accompanying drawings as follows:

FIG. 1 is a schematic view of a log processing device according to the present disclosure;

FIG. 2 depicts an implementation scenario of dealing with an original log data by the log processing device according to the present disclosure;

FIG. 3 depicts an implementation scenario of dealing with an original log data by the log processing device according to the present disclosure;

FIG. 4 depicts an implementation scenario of dealing with an original log data by the log processing device according to the present disclosure;

FIG. 5 depicts an implementation scenario of dealing with an original log data by the log processing device according to the present disclosure;

FIG. 6 is a schematic view of a log processing device according to the present disclosure;

FIG. 7 is a schematic view of a log database according to the present disclosure;

FIG. 8 depicts an implementation scenario of querying a log template according to the present disclosure;

FIG. 9 is a schematic view of a log processing device according to the present disclosure;

FIG. 10 is a schematic view of an event database according to the present disclosure;

FIG. 11 depicts an implementation scenario of querying an event and a log template according to the present disclosure;

FIG. 12 is a schematic view of a log processing device according to the present disclosure;

FIG. 13 is a schematic view of a variable database according to the present disclosure; and

FIG. 14 is a flowchart diagram of a log processing method according to the present disclosure.

DETAILED DESCRIPTION

Reference will now be made in detail to the present embodiments of the invention, examples of which are illustrated in the accompanying drawings. Wherever possible, the same reference numbers are used in the drawings and the description to refer to the same or like parts.

A first embodiment of the present invention is as shown in FIG. 1 to FIG. 5. FIG. 1 is a schematic view of a log processing device according to the present disclosure. The log processing device 1 includes a memory 11 and a processor 13. The processor 13 is electrically connected to the memory 11. The memory 11 stores an original log data OLD which records files that occur in an operating system or other running software.

The processor 13 divides the original log data OLD into a plurality of block data according to a first rule. Specifically, the original log data consists of a plurality of strings, and each of the strings is separated by a blank. The processor 13 takes the blank between each of the strings as the first rule to divide the original log data OLD into the combinational block data.

The processor 13 transforms a numeric variable of each of the block data into a representative code according to a data attribute of each of the block data to display the block data in normalization. The data attribute of the block data is the meaning represented by the string in each of the block data. The data attribute may be time, information, program, database, message, a period, etc., but is not limited thereto. The representative code is a quantitative text that represents the meaning of the numeric variable in the block data.

When transforming the numeric variable, the processor 13 determines whether the numeric variable exists in the block data, and determines the data attribute of each of the block data. If the numeric variable exists in the block data, the processor 13 replaces the numeric variable with the representative code corresponding to the data attribute so that the block data which includes the numeric variable will be represented by quantitative text. Thus, the overall data volume of the original log data OLD will be decreased.

Next, the processor 13 determines whether to perform a combination process on the continuous block data to generate a plurality of combinational block data according to a data integrity of each of the block data. To be more specific, the processor 13 determines, in order, a data integrity from the first block data of each of the block data according to a second rule, and determines if the meaning of each of the block data is clear according to the data integrity. In this embodiment, the second rule is a semantic analysis. However, in other embodiments, the second rule can also be quotation marks used to describe sentences or brackets used to describe specific content. Those of ordinary skill in the art can understand the setting of the second rule based on the subsequent description. The foregoing semantic analysis is only used for illustration and is not intended to limit the present disclosure.

When the data integrity of at least two of the continuous block data are less than a threshold, the processor 13 combines the at least two of the continuous block data. When the data integrity of one of the at least two of the continuous block data is less than the threshold, and the data integrity of the other one of the at least two of the continuous block data is greater than the threshold, the processor 13 does not combine the at least two of the continuous block data. Briefly speaking, the combinational block data includes single block data with complete meaning and multiple combined continuous block data with incomplete meaning. In other words, the discontinuous block data with incomplete meaning cannot be combined.

Finally, the processor 13 uses the combinational block data as a log template corresponding to the original log data OLD, and each of the combinational block data corresponds to an event.

For example, reference is made to FIG. 2, which depicts an implementation scenario of dealing with an original log data by the log processing device according to the present disclosure. The log processing device 1 divides the original log data OLD1 into 9 block data blk-1˜blk-9 according to the blank between each of the strings, and determines whether each of the block data includes a numeric variable.

When the processor 13 of the log processing device 1 determines that the block data blk-1 includes the numeric variable “586574001963154558”, the processor 13 further determines that the data attribute of the string “586574001963154558” is log system time, and replaces the numeric variable “586574001963154558” with the representative code “EPOCH” corresponding to the log system time, as the block data rblk-1 shown in FIG. 2.

Next, the processor 13 determines that there is no numeric variable in the string “level=info” of the block data blk-2, and does not change the content of the block data blk-2, so the processor 13 directly treats the string “level=info” as normalized block data rblk-2.

When the processor 13 determines that the string “ts=2020-04-11T03:00:01.962Z” in the block data blk-3 includes numeric variable, it further determines that the data attribute of the string in the block data blk-3 is an application program time. Therefore, the log processing device 1 replaces the numeric variables in the string with the representative codes corresponding to the year, month, day, hour, minute, and second in the application program time. The numeric variables are replaced and displayed in normalized expressions as the block data rblk-3 “ts=YYYY-MM-DDTHH:MM:SS.SSSZ”.

When the processor 13 determines that the string “caller=head.go:668” in the block data blk-4 has a numeric variable, it further determines that the data attribute of the string in the block data blk-4 is a trigger program. Since the data attribute of the trigger program in the block data blk-4 is not simply represented by the variable “668”, the processor 13 replaces the numeric variable in the string with the representative code corresponding to the general number. The numeric variable is replaced, and the block data rblk-4 displayed in the normalized expression is “caller=head.go:NUM”.

The processor 13 sequentially determines that the string “component=tsdb” of the block data blk-5, the string “msg=“head” of the block data blk-6, the string “GC” of the block data blk-7, and the string “completed” of the block data blk-8 do not include any numeric variable. The strings of the block data blk-5˜blk-8 will not be changed, so the strings “component=tsdb”, “msg=“head”, “GC”, and “completed” are regarded as normalized block data rblk-4˜rblk-8.

At last, when the processor 13 determines that the string “duration=46.714385ms” of the block data blk-9 includes numeric variable, it further determines that the data attribute of the string “duration=46.714385 ms” of the block data blk-9 is the execution time. Since the data attribute of the execution time in the block data blk-9 is not simply represented by the numeric variable “46.714385”, the log processing device 1 replaces the numeric variable “46.714385” in the string with the representative code corresponding to the general number, and the numeric variable is replaced with the block data rblk-9 displayed with normalized expression “duration=NUM.NUMms”.

After the numeric variable of the block data blk-1˜blk-9 are replaced with corresponding representative codes, the log processing device 1 starts the combination process. In detail, the combination process can be regarded as one of the procedures in the process. When the processor 13 executes the combination process, the processor 13 determines the data integrity, based on semantic analysis, of each of the block data rblk-1˜rblk-9 starting from the first block data rblk-1 and sequentially to the ninth block data rblk-9 in order to confirm whether each of the block data rblk-1˜rblk-9 has complete meaning.

For ease of description, in this embodiment, the threshold is assumed to be 100%. If the block data has a complete meaning, it means that the data integrity of the block data is equal to the threshold (i.e., the data integrity is 100%). If the block data does not have a complete meaning or the meaning is unclear, it means the data integrity of the block data is less than the threshold (i.e., the data integrity is less than 100% or the data integrity is equal to 0%).

It shall be appreciated that, in other embodiments, the threshold can also be set to other values such as 90% or 80%. If the block data has complete meaning, or even if it is incomplete but the actual complete meaning can be inferred, it means that the data integrity is greater than or equal to the threshold 90%. If the block data does not have complete meaning and the actual meaning cannot be inferred or the meaning is unclear, it means that the data integrity is less than 90% of the threshold. However, those of ordinary skill in the art can understand that the threshold can be set by the user who would like to analyze the log data according to the semantic level to be interpreted based on the foregoing description. The foregoing value is only used for illustration and is not intended to limit the present disclosure.

The string “EPOCH” of the block data rblk-1 represents the log system time. The processor 13 determines that the block data rblk-1 has a complete meaning which means the data integrity is equal to the threshold 100%. The processor 13 generates the combinational block data cblk-1 “EPOCH” after executing the combination process on the block data rblk-1. The string “level=info” of the block data rblk-2 represents the log level. The processor 13 determines that the block data rblk-2 has a complete meaning which means the data integrity is equal to the threshold 100%. The processor 13 generates the combinational block data cblk-2 “level=info” after executing the combination process on the block data rblk-2. The string “ts=YYYY-MM-DDTHH:MM:SS.SSSZ” of the block data rblk-3 represents the application program time. The processor 13 determines that the block data rblk-3 has a complete meaning which means the data integrity is equal to the threshold 100%. The processor 13 generates the combinational block data cblk-3 “ts=YYYY-MM-DDTHH:MM:SS.SSSZ” after executing the combination process on the block data rblk-3.

The string “caller=head.go:NUM” of the block data rblk-4 represents the trigger program. The processor 13 determines that the block data rblk-4 has a complete meaning which means the data integrity is equal to the threshold 100%. The processor 13 generates the combinational block data cblk-4 “caller=head.go:NUM” after executing the combination process on the block data rblk-4. The string “component=tsdb” of the block data rblk-5 represents the trigger element. The processor 13 determines that the block data rblk-5 has a complete meaning which means the data integrity is equal to the threshold 100%. The processor 13 generates the combinational block data cblk-5 “component=tsdb” after executing the combination process on the block data rblk-5.

The string “msg=“head” of the block data rblk-6 includes a quotation mark that will be used when describing sentences. Since the block data rblk-6 includes only one quotation mark, it implies that the meaning of the string in the block data rblk-6 is incomplete, and the processor 13 determines that the data integrity of the block data rblk-6 is less than the threshold 100%. Regarding the string “GC” of the block data rblk-7, the processor 13 determines that the meaning of the string “GC” in the block data rblk-7 is incomplete, and the data integrity is less than the threshold 100%. When the processor 13 determines that the data integrity of the continuous block data rblk-6 and the block data rblk-7 are both smaller than the threshold, the combinational block data “msg=“head GC” is generated after executing the combination process on the block data rblk-6 and the block data rblk-7. Then, the processor 13 determines whether the data integrity of the merged block data “msg=“head GC” is equal to the threshold.

Since the combinational block data includes only one quotation mark in “msg=“head GC”, it implies that the meaning of the string in the block data rblk-6 is incomplete, so the processor 13 determines that the data integrity is less than the threshold 100%. Therefore, the processor 13 continues to determine the data integrity of the block data rblk-8.

The string “completed”” of the block data rblk-8 includes a quotation mark that will be used when describing sentences. Since the block data rblk-8 includes only one quotation mark, it implies that the meaning of the string in the block data rblk-8 is incomplete, and the processor 13 determines that the data integrity of the block data rblk-8 is less than the threshold 100%. Then, the processor 13 executes the combination process to combine the continuous block data rblk-6, block data rblk-7, and block data rblk-8 whose data integrity is less than the threshold 100% and to generate the combinational block data cblk-6 “msg=“head GC completed””. The processor 13 determines that the combinational block data cblk-6 “msg=“head GC completed”” is a trigger message which has a complete meaning, and the data integrity is equal to the threshold 100%.

The string “duration=NUM.NUMms” of the block data rblk-9 represents the execution time of “caller=head.go:668 component=tsdb msg=“head GC completed”” in the original log data OLD1. The processor 13 determines that the block data rblk-9 has a complete meaning which means the data integrity is equal to the threshold 100%. The processor 13 generates the combinational block data cblk-4 “duration=NUM.NUMms” after executing the combination process on the block data rblk-9.

After finishing the combination process procedure, the log processing device 1 uses the combinational block data cblk-1 to cblk-9 as a log template L1 corresponding to the original log data OLD1. The log template L1 includes event E1, event E2, event E3, event E4, event E5, event E6, and event E9. Event E1 corresponds to the combinational block data cblk-1. Event E2 corresponds to the combinational block data cblk-2. Event E3 corresponds to the combinational block data cblk-3. Event E4 corresponds to the combinational block data cblk-4. Event E5 corresponds to the combinational block data cblk-5. Event E6 corresponds to the combinational block data cblk-6. Event E9 corresponds to the combinational block data cblk-9. Briefly speaking, each of the combinational block data corresponds to an event.
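The FIG. 2 walk-through above can be reproduced with a short Python sketch. It is an added example, not the implementation of the disclosure: the regular expressions that stand in for data-attribute detection and the `integrity` heuristic are assumptions, and the second rule used here is the quotation-mark variant the description mentions rather than semantic analysis. The log line `OLD1` is reassembled from the block strings quoted above.

```python
import re

# Representative-code rules, tried in order. The codes (EPOCH, NUM, the
# YYYY-MM-DD... form) come from the description; the patterns that detect
# each data attribute are assumptions made for this example.
RULES = [
    (re.compile(r"^\d{18,19}$"), "EPOCH"),  # log system time
    (re.compile(r"\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}\.\d{3}Z"),
     "YYYY-MM-DDTHH:MM:SS.SSSZ"),           # application program time
    (re.compile(r"\d+"), "NUM"),            # general number
]
CODE_ONLY = re.compile(r"^(EPOCH|NUM)$")


def normalize(block):
    """Replace numeric variables in one block with representative codes."""
    for pattern, code in RULES:
        block = pattern.sub(code, block)
    return block


def integrity(block):
    """Return 1.0 for a block with complete meaning, else 0.0 (assumed rule).

    A block is treated as complete when its double quotes are balanced and
    it is either a key=value pair or a bare representative code.
    """
    if block.count('"') % 2:
        return 0.0
    if "=" in block or CODE_ONLY.match(block):
        return 1.0
    return 0.0


def combine(blocks, threshold=1.0):
    """Merge runs of consecutive incomplete blocks into combinational blocks."""
    out, run = [], []
    for blk in blocks:
        # Inside an open quotation every block belongs to the quoted value,
        # even one that looks like key=value on its own.
        in_quote = " ".join(run).count('"') % 2 == 1
        if not in_quote and integrity(blk) >= threshold:
            if run:  # an incomplete run ends where a complete block starts
                out.append(" ".join(run))
                run = []
            out.append(blk)
            continue
        run.append(blk)
        if integrity(" ".join(run)) >= threshold:
            out.append(" ".join(run))
            run = []
    if run:
        out.append(" ".join(run))
    return out


def template(line):
    """First rule (split on blanks), then normalization, then combination."""
    return combine([normalize(b) for b in line.split()])


# Reassembled from the block strings quoted in the FIG. 2 description.
OLD1 = ('586574001963154558 level=info ts=2020-04-11T03:00:01.962Z '
        'caller=head.go:668 component=tsdb msg="head GC completed" '
        'duration=46.714385ms')

if __name__ == "__main__":
    for event in template(OLD1):
        print(event)
```

The in-quote check matters when log content is partly user-controlled: a quoted message that contains text such as `level=error` stays inside its `msg` block instead of surfacing as a separate field in the template.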

For another example, reference is made to FIG. 3 which depicts an implementation scenario of dealing with an original log data by the log processing device according to the present disclosure. The log processing device 1 divides the original log data OLD2 into 12 block data blk-10˜blk-21 according to the blank between each of the strings, and determines whether each of the block data includes a numeric variable.

When the processor 13 of the log processing device 1 determines that the block data blk-10 includes the numeric variable “1586898127706657481”, the processor 13 further determines that the data attribute of the string “1586898127706657481” represents log system time, and replaces the numeric variable “1586898127706657481” with the representative code “EPOCH” corresponding to the log system time, as the block data rblk-10 shown in FIG. 3.

Next, when the processor 13 determines that the block data blk-11 includes the numeric variable “10414”, the processor 13 further determines that the data attribute of the string “10414” represents application program time, and replaces the numeric variables in the string with the representative codes corresponding to the month and day in the application program time. The numeric variables are replaced and displayed in normalized expressions as the block data rblk-11 “IMMDD”.

When the processor 13 determines that the block data blk-12 includes the numeric variable “21:02:07.706586”, the processor 13 further determines that the data attribute of the string “21:02:07.706586” represents application program time, and replaces the numeric variables in the string with the representative codes corresponding to the hour, minute, and second in the application program time. The numeric variables are replaced and displayed in normalized expressions as the block data rblk-12 “HH:MM:SS.SSSSSS”.

When the processor 13 determines that the block data blk-13 includes the numeric variable “1”, the processor 13 further determines that the data attribute of the string “1” represents number, and replaces the numeric variables with the representative codes corresponding to number. The numeric variable is replaced and displayed in normalized expressions as the block data rblk-13 “NUM”.

When the processor 13 determines that the block data blk-14 includes the numeric variable “resource_quota_monitor.go:228,”, the processor 13 further determines that the data attribute of the string “resource_quota_monitor.go:228,” represents the trigger program. Since the data attribute of the trigger program in the block data blk-14 is not only simply represented by the numeric variable “228”, the processor 13 replaces the numeric variable in the string with a representative code corresponding to a general number. The numeric variable is replaced and displayed in normalized expressions as the block data rblk-14 “resource_quota_monitor.go:NUM,”.

The processor 13 sequentially determines that the string “QuotaMonitor” of the block data blk-15, the string “created” of the block data blk-16, the string “object” of the block data blk-17, the string “count” of the block data blk-18, the string “evaluator” of the block data blk-19, the string “for” of the block data blk-20, and the string “alertmanagers.monitoring.coreos.com” of the block data blk-21 do not include any numeric variable. The strings of the block data blk-15˜blk-21 will not be changed, so the strings “QuotaMonitor”, “created”, “object”, “count”, “evaluator”, “for”, and “alertmanagers.monitoring.coreos.com” are regarded as normalized block data rblk-15˜rblk-21.

After the numeric variable of the block data blk-10˜blk-21 are replaced with corresponding representative codes, the processor 13 starts the combination process. The processor 13 determines the data integrity of each of the block data rblk-10˜rblk-21 starting from the first block data rblk-10 sequentially to the block data rblk-21 in order to confirm whether each of the block data rblk-10˜rblk-21 has complete meaning.

The string “EPOCH” of the block data rblk-10 represents the log system time. The processor 13 determines that the block data rblk-10 has a complete meaning which means the data integrity is equal to the threshold 100%. The processor 13 generates the combinational block data cblk-10 “EPOCH” after executing the combination process on the block data rblk-10. The string “IMMDD” of the block data rblk-11 represents the application program time. The processor 13 determines that the block data rblk-11 has a complete meaning which means the data integrity is equal to the threshold 100%. The processor 13 generates the combinational block data cblk-11 “IMMDD” after executing the combination process on the block data rblk-11. The string “HH:MM:SS.SSSSSS” of the block data rblk-12 represents the application program time. The processor 13 determines that the block data rblk-12 has a complete meaning which means the data integrity is equal to the threshold 100%. The processor 13 generates the combinational block data cblk-12 “HH:MM:SS.SSSSSS” after executing the combination process on the block data rblk-12.

The string “NUM” of the block data rblk-13 represents the number. The processor 13 determines that the block data rblk-13 has a complete meaning which means the data integrity is equal to the threshold 100%. The processor 13 generates the combinational block data cblk-13 “NUM” after executing the combination process on the block data rblk-13. The string “resource_quota_monitor.go:NUM,” of the block data rblk-14 represents the trigger program. The processor 13 determines that the block data rblk-14 has a complete meaning which means the data integrity is equal to the threshold 100%. The processor 13 generates the combinational block data cblk-14 “resource_quota_monitor.go:NUM,” after executing the combination process on the block data rblk-14.

The processor 13 determines that the meaning of the string“QuotaMonitor” of the block data rblk-15 is incomplete, and determinesthe data integrity of the block data rblk-15 is less than the threshold100%. Then, the processor 13 determines that the meaning of the string“created” of the block data rblk-16 is incomplete, and determines thedata integrity of the block data rblk-16 is less than the threshold100%. Since the data integrity of the continuous block data rblk-15 andrblk-16 are less than the threshold (i.e., incomplete), the processor 13executes the combination process on the block data rblk-15 and rblk-16,generates the combinational block data “QuotaMonitor created”, anddetermines whether the data integrity of the combinational block data“QuotaMonitor created” is equal to the threshold.

The meaning of the string “QuotaMonitor created” of the combinationalblock data is still incomplete, so the processor 13 continues todetermine the data integrity of the block data rblk-17. The processor 13determines that the meaning of the string “object” of the block datarblk-17 is incomplete, and determines the data integrity of the blockdata rblk-17 is less than the threshold 100%. Under the circumstance,the processor 13 executes the combination process on the combinationalblock data “QuotaMonitor created” and the string “object” of the blockdata rblk-17, generates the combinational block data “QuotaMonitorcreated object”, and determines whether the data integrity of thecombinational block data “QuotaMonitor created object” is equal to thethreshold.

However, the meaning of the string “QuotaMonitor created object” of thecombinational block data is still incomplete which means the dataintegrity of the combinational block data “QuotaMonitor created object”is less than the threshold, so the processor 13 continues to determinethe data integrity of the block data rblk-18.

The processor 13 determines that the meaning of the string “count” ofthe block data rblk-18 is incomplete, and determines the data integrityof the block data rblk-18 is less than the threshold 100%. Similar tothe aforesaid processing, under the circumstances that the dataintegrity of the combinational block data “QuotaMonitor created object”and rblk-18 are less than the threshold (i.e., incomplete), theprocessor 13 executes the combination process on the combinational blockdata “QuotaMonitor created object” and the string “count” of the blockdata rblk-18, generates the combinational block data “QuotaMonitorcreated object count”, and determines whether the data integrity of thecombinational block data “QuotaMonitor created object count” is equal tothe threshold.

However, the meaning of the string “QuotaMonitor created object count”of the combinational block data is still incomplete which means the dataintegrity of the combinational block data “QuotaMonitor created objectcount” is less than the threshold 100%, so the processor 13 continues todetermine the data integrity of the block data rblk-19.

The processor 13 determines that the meaning of the string “evaluator”of the block data rblk-19 is incomplete, and determines the dataintegrity of the block data rblk-19 is less than the threshold 100%.Therefore, the processor 13 executes the combination process on thecombinational block data “QuotaMonitor created object count” and thestring “evaluator” of the block data rblk-19, generates thecombinational block data “QuotaMonitor created object count evaluator”,and determines whether the data integrity of the combinational blockdata “QuotaMonitor created object count evaluator” is equal to thethreshold.

The processor 13 determines that the meaning of the string “QuotaMonitorcreated object count evaluator” of the combinational block data is stillincomplete which means the data integrity of the combinational blockdata “QuotaMonitor created object count evaluator” is less than thethreshold 100%, so the processor 13 continues to determine the dataintegrity of the block data rblk-20.

The processor 13 determines that the meaning of the string “for” of theblock data rblk-20 is incomplete, and determines the data integrity ofthe block data rblk-20 is less than the threshold 100%. Therefore, theprocessor 13 executes the combination process on the combinational blockdata “QuotaMonitor created object count evaluator” and the string “for”of the block data rblk-20, generates the combinational block data“QuotaMonitor created object count evaluator”, and determines whetherthe data integrity of the combinational block data “QuotaMonitor createdobject count evaluator for” is equal to the threshold.

The processor 13 determines that the meaning of the string “QuotaMonitorcreated object count evaluator for” of the combinational block data isstill incomplete which means the data integrity of the combinationalblock data “QuotaMonitor created object count evaluator for” is lessthan the threshold 100%, so the processor 13 continues to determine thedata integrity of the block data rblk-21.

The processor 13 determines that the meaning of the string “alertmanagers.monitoring.coreos.com” of the block data rblk-21 is incomplete, and determines the data integrity of the block data rblk-21 is less than the threshold 100%. Under the circumstance, the processor 13 executes the combination process on the combinational block data “QuotaMonitor created object count evaluator for” and the string “alertmanagers.monitoring.coreos.com” of the block data rblk-21, generates the combinational block data “QuotaMonitor created object count evaluator for alertmanagers.monitoring.coreos.com”, and determines that the combinational block data “QuotaMonitor created object count evaluator for alertmanagers.monitoring.coreos.com” represents the trigger message. Therefore, the processor 13 obtains the string “QuotaMonitor created object count evaluator for alertmanagers.monitoring.coreos.com” by combining the strings of the block data rblk-15, rblk-16, rblk-17, rblk-18, rblk-19, rblk-20, and rblk-21, and takes the string “QuotaMonitor created object count evaluator for alertmanagers.monitoring.coreos.com” as the combinational block data cblk-15, as shown in FIG. 3.

After finishing the combination process procedure, the log processing device 1 uses the combinational block data cblk-10 to cblk-21 as a log template L2 corresponding to the original log data OLD2. The log template L1 includes event E10, event E11, event E12, event E13, event E14, and event E15. Event E10 corresponds to the combinational block data cblk-10. Event E11 corresponds to the combinational block data cblk-11. Event E12 corresponds to the combinational block data cblk-12. Event E13 corresponds to the combinational block data cblk-13. Event E14 corresponds to the combinational block data cblk-14. Event E15 corresponds to the combinational block data cblk-15.

For another example, reference is made to FIG. 4 and FIG. 5, which depict an implementation scenario of dealing with an original log data by the log processing device according to the present disclosure. The processor 13 of the log processing device 1 divides the original log data OLD3 into 17 block data blk-22˜blk-38 according to the blank between each of the strings, and determines whether each of the block data includes a numeric variable.

When the processor 13 determines that the block data blk-22 includes the numeric variable “1586574010733936849”, the processor 13 further determines that the data attribute of the string “1586574010733936849” represents log system time, and replaces the numeric variable “1586574010733936849” with the representative code “EPOCH” corresponding to the log system time, as the block data rblk-22 shown in FIG. 4.

Next, the processor 13 determines that the block data blk-23 includes the numeric variable “10411”. The processor 13 further determines that the data attribute of the string “10411” represents application program time, and replaces the numeric variables in the string with the representative codes corresponding to the month and day in the application program time. The numeric variables are replaced and displayed in normalized expressions as the block data rblk-23 “IMMDD”.

The processor 13 determines that the block data blk-24 includes the numeric variable “03:00:10.733881”. The processor 13 further determines that the data attribute of the string “03:00:10.733881” represents application program time, and replaces the numeric variables in the string with the representative codes corresponding to the hour, minute, and second in the application program time. The numeric variables are replaced and displayed in normalized expressions as the block data rblk-24 “HH:MM:SS.SSSSSS”.

The processor 13 determines that the block data blk-25 includes the numeric variable “1”. The processor 13 further determines that the data attribute of the string “1” represents number, and replaces the numeric variable with the representative code corresponding to number. The numeric variable is replaced and displayed in normalized expression as the block data rblk-25 “NUM”.

The processor 13 determines that the block data blk-26 includes the numeric variable “trace.go:116,”. The processor 13 further determines that the data attribute of the string “trace.go:116,” represents the trigger program. Since the data attribute of the trigger program in the block data blk-26 is not simply represented by the numeric variable “116”, the processor 13 replaces the numeric variable in the string with a representative code corresponding to a general number. The numeric variable is replaced and displayed in normalized expression as the block data rblk-14 “trace.go:NUM,”.

The processor 13 determines that the block data blk-27 includes the numeric variable “Trace[3365106]:”. The processor 13 further determines that the data attribute of the string “Trace[3365106]:” represents the trigger trace. Since the data attribute of the trigger program in the block data blk-27 is not simply represented by the numeric variable “3365106”, the processor 13 replaces the numeric variable in the string with a representative code corresponding to a general number. The numeric variable is replaced and displayed in normalized expression as the block data rblk-27 “Trace[NUM]:”.

The processor 13 sequentially determines that the string ““Get”” of the block data blk-28, the string “url:/api/v1/namespaces/kube-system/endpoints/kube-controller-manager” of the block data blk-29, and the string “(started:” of the block data blk-30 do not include any numeric variable. The strings of the block data blk-28˜blk-30 will not be changed, so the strings ““Get””, “url:/api/v1/namespaces/kube-system/endpoints/kube-controller-manager”, and “(started:” are regarded as normalized block data rblk-28˜rblk-30.

The processor 13 determines that the block data blk-31 includes the numeric variable “2020-04-11”. The processor 13 further determines that the data attribute of the string “2020-04-11” represents date, and replaces the numeric variables in the string with the representative codes corresponding to the year, month, and day. The numeric variables are replaced and displayed in normalized expressions as the block data rblk-31 “YYYY-MM-DD”.

The processor 13 determines that the block data blk-32 includes the numeric variable “3:00:09.845952954”. The processor 13 further determines that the data attribute of the string “3:00:09.845952954” represents application program time, and replaces the numeric variables in the string with the representative codes corresponding to the hour, minute, and second in the application program time. The numeric variables are replaced and displayed in normalized expressions as the block data rblk-32 “HH:MM:SS.SSSSSSSSS”.

The processor 13 determines that the block data blk-33 includes the numeric variable “+0000”. The processor 13 further determines that the data attribute of the string “+0000” represents time. Although the data attribute of the block data blk-33 is time, the “+0000” in the block data blk-33 does not indicate the complete time, so when the block data blk-33 is analyzed separately, the numeric variable “0000” has no meaning. Therefore, the processor 13 replaces the numeric variable in the string with the representative code corresponding to the general number, and the block data rblk-33 is displayed in the normalized expression “+NUM” after the numeric variable is replaced.

The processor 13 sequentially determines that the string “UTC” of the block data blk-34 does not include any numeric variable. The string of the block data blk-34 will not be changed, so the string “UTC” is regarded as normalized block data rblk-34.

The processor 13 determines that the block data blk-35 includes the numeric variable “m=+1458985.421484430)”. The processor 13 further determines that when the block data blk-35 is analyzed separately, the numeric variable “1458985.421484430” has no meaning, so the processor 13 replaces the numeric variables with the representative codes corresponding to number. The numeric variables are replaced and displayed in normalized expressions as the block data rblk-35 “m=+NUM.NUM)”.

The processor 13 sequentially determines that the string “(total” of the block data blk-36 and the string “time:” of the block data blk-37 do not include any numeric variable. The string of the block data blk-36 and the string of the block data blk-37 will not be changed, so the string “(total” is regarded as normalized block data rblk-36 and the string “time:” is regarded as normalized block data rblk-37.

The processor 13 determines that the block data blk-38 includes the numeric variable “887.906026 ms):”. Although the data attribute of the block data blk-38 is time, the processor 13 determines that when the block data blk-38 is analyzed separately, the numeric variable “887.90602” has no meaning, so the processor 13 replaces the numeric variables with the representative codes corresponding to number. The numeric variables are replaced and displayed in normalized expressions as the block data rblk-38 “NUM.NUMms):”.

After the numeric variables of the block data blk-22˜blk-38 are replaced with the corresponding representative codes, the processor 13 starts the combination process. The processor 13 determines the data integrity of each of the block data rblk-22˜rblk-38, starting from the first block data rblk-22 and proceeding sequentially to the block data rblk-38, in order to confirm whether each of the block data rblk-22˜rblk-38 has complete meaning.

The string “EPOCH” of the block data rblk-22 represents the log system time. The processor 13 determines that the block data rblk-22 has a complete meaning, which means the data integrity is equal to the threshold 100%. The processor 13 generates the combinational block data cblk-22 “EPOCH” after executing the combination process on the block data rblk-22. The string “IMMDD” of the block data rblk-23 represents the application program time. The processor 13 determines that the block data rblk-23 has a complete meaning, which means the data integrity is equal to the threshold 100%. The processor 13 generates the combinational block data cblk-23 “IMMDD” after executing the combination process on the block data rblk-23. The string “HH:MM:SS.SSSSSS” of the block data rblk-24 represents the application program time. The processor 13 determines that the block data rblk-24 has a complete meaning, which means the data integrity is equal to the threshold 100%. The processor 13 generates the combinational block data cblk-24 “HH:MM:SS.SSSSSS” after executing the combination process on the block data rblk-24.

The string “NUM” of the block data rblk-25 represents the number. The processor 13 determines that the block data rblk-25 has a complete meaning, which means the data integrity is equal to the threshold 100%. The processor 13 generates the combinational block data cblk-25 “NUM” after executing the combination process on the block data rblk-25.

The string “trace.go:NUM,” of the block data rblk-26 represents the trigger program. The processor 13 determines that the block data rblk-26 has a complete meaning, which means the data integrity is equal to the threshold 100%. The processor 13 generates the combinational block data cblk-26 “trace.go:NUM,” after executing the combination process on the block data rblk-26. The string “Trace[NUM]:” of the block data rblk-27 represents the trigger trace. The processor 13 determines that the block data rblk-27 has a complete meaning, which means the data integrity is equal to the threshold 100%. The processor 13 generates the combinational block data cblk-27 “Trace[NUM]:” after executing the combination process on the block data rblk-27.

The string ““Get”” of the block data rblk-28 includes a quotation mark that will be used when describing sentences, and the string ““Get”” includes two quotation marks in one sentence, which implies that the meaning of the string in the block data rblk-28 is complete, so the processor 13 determines that the data integrity of the block data rblk-28 is equal to the threshold 100%. The processor 13 generates the combinational block data cblk-28 ““Get”” after executing the combination process on the block data rblk-28.

The string “url:/api/v1/namespaces/kube-system/endpoints/kube-controller-manager” of the block data rblk-29 represents the trigger message. The processor 13 determines that the block data rblk-29 has a complete meaning, which means the data integrity is equal to the threshold 100%. The processor 13 generates the combinational block data cblk-29 “url:/api/v1/namespaces/kube-system/endpoints/kube-controller-manager” after executing the combination process on the block data rblk-29.

The message represented by the string “(started:” of the block data rblk-30 is incomplete, so the processor 13 determines that the data integrity is less than the threshold 100%. Furthermore, the string “(started:” only includes a left parenthesis in the block data rblk-30, but not a right parenthesis, so it implies that the string in the block data rblk-30 is not a complete sentence.

Then, the processor 13 determines that the string “YYYY-MM-DD” of the block data rblk-31 includes year, month, and day, which belong to the date. The data integrity of the block data rblk-31 should be equal to the threshold. However, the block data rblk-23 has recorded the application date of the original log data OLD3, and there should not be two different application dates for the same log event, and the previous continuous block data rblk-30 is an incomplete sentence. Therefore, the processor 13 determines that the date of the block data rblk-31 should be the date that exists in the meaning expressed by the string “(started:” of the block data rblk-30, so the processor 13 determines the data integrity of the block data rblk-31 is less than the threshold. Since the data integrity of the continuous block data rblk-30 and rblk-31 are less than the threshold, the processor 13 combines the block data rblk-30 and rblk-31, generates the combinational block data “(started: YYYY-MM-DD”, and determines the combinational block data “(started: YYYY-MM-DD” is incomplete, which means that the data integrity of the combinational block data “(started: YYYY-MM-DD” is less than the threshold 100%, so the processor 13 continues to determine the data integrity of the block data rblk-32.

The string “HH:MM:SS.SSSSSSSSS” of the block data rblk-32 includes hour, minute, and second, so the string of the block data rblk-32 represents the application program time, and the data integrity of the block data rblk-32 should be equal to the threshold. However, the block data rblk-24 has recorded the application time of the original log data OLD3, and there should not be two different application times for the same log event, so the processor 13 determines that the time of the block data rblk-32 may be the time related to the string “(started:” of the block data rblk-30. The processor 13 determines that the data integrity of the block data rblk-32 is less than the threshold, and executes the combination process on the combinational block data “(started: YYYY-MM-DD” and the string of block data rblk-32 “HH:MM:SS.SSSSSSSSS” to generate the combinational block data “(started: YYYY-MM-DD HH:MM:SS.SSSSSSSSS”. However, the meaning of the combinational block data “(started: YYYY-MM-DD HH:MM:SS.SSSSSSSSS” is still incomplete, which means the data integrity is less than the threshold 100%, and the processor 13 continues to determine the data integrity of the next block data rblk-33.

The string “+NUM” of the block data rblk-33 represents the general number, and the processor 13 cannot determine the intended meaning of the block data rblk-33 based on a single string, so the processor 13 determines that the data integrity is less than the threshold 100%. Under the circumstances that the data integrity of the combinational block data “(started: YYYY-MM-DD HH:MM:SS.SSSSSSSSS” and the data integrity of the block data rblk-33 are less than the threshold (i.e., incomplete), the processor 13 executes the combination process on the combinational block data “(started: YYYY-MM-DD HH:MM:SS.SSSSSSSSS” and the string “+NUM” of the block data rblk-33 to generate the combinational block data “(started: YYYY-MM-DD HH:MM:SS.SSSSSSSSS+NUM”, and determines whether the data integrity of the combinational block data “(started: YYYY-MM-DD HH:MM:SS.SSSSSSSSS+NUM” is greater than or equal to the threshold.

However, the meaning of the combinational block data “(started: YYYY-MM-DD HH:MM:SS.SSSSSSSSS+NUM” is still incomplete, which means the data integrity is less than the threshold 100%, and the processor 13 continues to determine the data integrity of the next block data rblk-34.

The string “UTC” of the block data rblk-34 represents the meaning of Coordinated Universal Time, so there should be a time-related representative code in the block data before or after the block data rblk-34, and the string “UTC” has no meaning when it is analyzed separately. Therefore, the data integrity of the block data rblk-34 is less than the threshold 100%. The combinational block data “(started: YYYY-MM-DD HH:MM:SS.SSSSSSSSS+NUM” includes the time-related representative code “HH:MM:SS.SSSSSSSSS”, so the processor 13 executes the combination process on the combinational block data “(started: YYYY-MM-DD HH:MM:SS.SSSSSSSSS+NUM” and the string “UTC” of the block data rblk-34 to generate the combinational block data “(started: YYYY-MM-DD HH:MM:SS.SSSSSSSSS+NUM UTC” and to determine whether the data integrity of the combinational block data “(started: YYYY-MM-DD HH:MM:SS.SSSSSSSSS+NUM UTC” is greater than or equal to the threshold.

However, the meaning of the combinational block data “(started: YYYY-MM-DD HH:MM:SS.SSSSSSSSS+NUM UTC” is still incomplete, which means the data integrity is less than the threshold 100%, and the processor 13 continues to determine the data integrity of the next block data rblk-35.

The meaning of the string “m=+NUM.NUM)” of the block data rblk-35 is still incomplete, which means the data integrity of the string “m=+NUM.NUM)” is less than the threshold 100%. The string “m=+NUM.NUM)” of the block data rblk-35 only includes a right parenthesis without a left parenthesis, so it implies that the block data rblk-35 is an incomplete sentence. Therefore, the processor 13 executes the combination process on the combinational block data “(started: YYYY-MM-DD HH:MM:SS.SSSSSSSSS+NUM UTC” and the string “m=+NUM.NUM)” of the block data rblk-35 to generate the string “(started: YYYY-MM-DD HH:MM:SS.SSSSSSSSS+NUM UTC m=+NUM.NUM)” of the combinational block data cblk-30. The processor 13 determines that the string “(started: YYYY-MM-DD HH:MM:SS.SSSSSSSSS+NUM UTC m=+NUM.NUM)” of the combinational block data cblk-30 represents the start time, so the data integrity of the combinational block data cblk-30 is equal to the threshold.

It shall be noted that, in order to determine more quickly which block data in the block data rblk-22˜rblk-38 need to be combined into the combinational block data, the processor 13 can use the quotation marks of the aforementioned description sentence, or parentheses, as the second rule, and combine the strings of the block data that have a single quotation mark or parenthesis.

The message represented by the string “(total” of the block data rblk-36 is incomplete, which means the data integrity is less than the threshold 100%. As mentioned above, the string “(total” of the block data rblk-36 only includes one left parenthesis without a right parenthesis, so it implies that the string in the block data rblk-36 is an incomplete sentence.

Next, the processor 13 determines that the string “time” of the block data rblk-37 represents time, but the string of the block data rblk-37 does not include any time-related representative code. Thus, the processor 13 determines that the data integrity is less than the threshold 100%. The processor 13 executes the combination process to combine the strings of the block data rblk-36 and rblk-37 to generate the combinational block data “(total time”, and determines whether the data integrity of the combinational block data “(total time” is greater than or equal to the threshold.

Since the combinational block data “(total time” means the overall time and does not include the time-related representative code, the processor 13 still cannot interpret the meaning represented by the combinational block data “(total time”. Thus, the processor 13 determines that the data integrity is less than the threshold 100%, and continues to determine the data integrity of the block data rblk-38.

The meaning of the string “NUM.NUMms):” of the block data rblk-38 is still incomplete, which means the data integrity of the string “m=+NUM.NUM)” is less than the threshold 100%. The string “NUM.NUMms):” of the block data rblk-38 only includes a right parenthesis without a left parenthesis, so it implies that the block data rblk-38 is an incomplete sentence. Therefore, the processor 13 executes the combination process on the combinational block data “(total time”, corresponding to the block data rblk-36 and rblk-37, and the string “NUM.NUMms):” of the block data rblk-38 to generate the combinational block data “(total time NUM.NUMms):”. The processor 13 determines that the combinational block data “(total time NUM.NUMms):” represents execution time, and the data integrity of the combinational block data cblk-36 is equal to the threshold.

After finishing the combination process procedure, the processor 13 uses the combinational block data cblk-22 to cblk-36 as a log template L3 corresponding to the original log data OLD3. The log template L3 includes event E22, event E23, event E24, event E25, event E26, event E27, event E28, event E29, event E30, and event E36. Event E22 corresponds to the combinational block data cblk-22. Event E23 corresponds to the combinational block data cblk-23. Event E24 corresponds to the combinational block data cblk-24. Event E25 corresponds to the combinational block data cblk-25. Event E26 corresponds to the combinational block data cblk-26. Event E27 corresponds to the combinational block data cblk-27. Event E28 corresponds to the combinational block data cblk-28. Event E29 corresponds to the combinational block data cblk-29. Event E30 corresponds to the combinational block data cblk-30. Event E36 corresponds to the combinational block data cblk-36.
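The OLD3 walk-through above, as an added Python example that is not part of the original disclosure. It implements only the mechanical parts: splitting on blanks, replacing numeric variables with representative codes, and the parenthesis/quotation-mark rule for combining blocks; the semantic data-integrity judgment is not reproduced. The regular expressions, the function names, and the sample line (rebuilt from the block strings quoted in the text, reading the second block as a severity letter followed by month and day) are assumptions.

```python
import re

# Ordered rules: the first pattern that matches the whole block wins.
# The EPOCH and severity-letter patterns are assumptions for this example.
WHOLE_BLOCK_RULES = [
    (re.compile(r"\d{19}"), lambda m: "EPOCH"),            # ns since the epoch
    (re.compile(r"([IWEF])\d{4}"), lambda m: m.group(1) + "MMDD"),
    (re.compile(r"\d{4}-\d{2}-\d{2}"), lambda m: "YYYY-MM-DD"),
    (re.compile(r"\d{1,2}:\d{2}:\d{2}\.(\d+)"),
     lambda m: "HH:MM:SS." + "S" * len(m.group(1))),
]

# A digit run is a numeric variable only when it does not continue a word,
# so the "1" in "/api/v1/" stays part of the URL.
GENERIC_NUMBER = re.compile(r"(?<![A-Za-z0-9])\d+")

# Constructed sample, assembled from the block strings quoted in the text.
OLD3_SAMPLE = (
    '1586574010733936849 I0411 03:00:10.733881 1 trace.go:116, '
    'Trace[3365106]: "Get" '
    'url:/api/v1/namespaces/kube-system/endpoints/kube-controller-manager '
    '(started: 2020-04-11 3:00:09.845952954 +0000 UTC '
    'm=+1458985.421484430) (total time: 887.906026ms):'
)


def normalize(block):
    """Replace the numeric variables of one block with representative codes."""
    for pattern, code in WHOLE_BLOCK_RULES:
        match = pattern.fullmatch(block)
        if match:
            return code(match)
    return GENERIC_NUMBER.sub("NUM", block)


def combine(blocks):
    """Merge consecutive blocks until parentheses and quotes are balanced."""
    combined, pending, depth, in_quote = [], [], 0, False
    for block in blocks:
        pending.append(block)
        depth += block.count("(") - block.count(")")
        if block.count('"') % 2:          # odd number of quotes flips state
            in_quote = not in_quote
        if depth <= 0 and not in_quote:   # a stray ")" also closes the block
            combined.append(" ".join(pending))
            pending, depth = [], 0
    if pending:                           # line ended inside "(" or a quote
        combined.append(" ".join(pending))
    return combined


def build_template(line):
    """Split on blanks, normalize each block, then combine into a template."""
    return combine([normalize(block) for block in line.split()])


if __name__ == "__main__":
    for number, block in enumerate(build_template(OLD3_SAMPLE), start=1):
        print(number, block)
```

A line that ends inside an open parenthesis or quotation (for example a truncated record) is kept as one final block, so it produces a template that differs from the complete form.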

It shall be appreciated that the contents of the original log data OLD1, OLD2, OLD3, the analysis method, and the meaning of each of the block data are only examples, and are not intended to limit the present disclosure.

A second embodiment of the present disclosure is as shown in FIG. 6 to FIG. 8. The second embodiment is an extension of the first embodiment. In this embodiment, the memory 11 further stores a log database 112, and the log database 112 stores a plurality of recorded log templates RL1˜RL4. The recorded log template RL1 includes the event E1, E2, E3, E9, and E11. The recorded log template RL2 includes the event E1, E2, E3, E8, E9, E16, and E17. The recorded log template RL3 includes the event E10, E11, E12, E13, E14, and E15. The recorded log template RL4 includes the event E22, E23, E24, E25, E26, E27, E28, E29, E30, and E40.

To avoid storing repeated log templates in the log database 112, resulting in a waste of storage space, after the processor 13 generates a log template, the processor 13 compares the log template with the recorded log templates RL1˜RL4 to determine if the log database 112 already stores a recorded log template the same as the currently generated log template. If there is no recorded log template that is the same as the currently generated log template in the log database 112, the processor 13 stores the log template in the log database 112. Conversely, if there is a recorded log template that is the same as the currently generated log template in the log database 112, the processor 13 does not repeatedly store the log template in the log database 112.

For example, with reference to FIG. 2 and FIG. 7, the processor 13 compares the log template L1 with the recorded log templates RL1˜RL4 to determine if the log database 112 already stores a recorded log template the same as the log template L1. The log template L1 includes the events E1, E2, E3, E4, E5, E6, and E9, and among the recorded log templates RL1˜RL4 in the log database 112, there is no recorded log template whose event structure is the same as the log template L1, so the processor 13 stores the log template L1 in the log database 112 after the comparison.

For another example, with reference to FIG. 3 and FIG. 7, the processor 13 compares the log template L2 with the recorded log templates RL1˜RL4 to determine if the log database 112 already stores a recorded log template the same as the log template L2. The log template L2 includes the events E10, E11, E12, E13, E14, and E15, and among the recorded log templates RL1˜RL4 in the log database 112, there is already a recorded log template RL3 whose event structure is the same as that of the log template L2, so the processor 13 will not store the log template L2 to the log database 112 after the comparison.

For another example, with reference to FIG. 4 and FIG. 7, the processor 13 compares the log template L3 with the recorded log templates RL1˜RL4 to determine if the log database 112 already stores a recorded log template the same as the log template L3. The log template L3 includes the events E22, E23, E24, E25, E26, E27, E28, E29, E30, and E36, and among the recorded log templates RL1˜RL4 in the log database 112, although there is a recorded log template RL4 whose event structure is roughly the same as that of the log template L3, the event contained in the recorded log template RL4 is not exactly the same as the log template L3, so the processor 13 still stores the log template L3 in the log database 112 after the comparison.

In other embodiments, the processor 13 performs a numbering process on the recorded log templates RL1˜RL4 to make each of the recorded log templates RL1˜RL4 correspond to a log code. The log processing device 1 receives a query request message from an electronic device 2. When the query request message includes a code of the log codes, the processor 13 retrieves the recorded log template corresponding to the code of the log codes from the log database according to the code, and transmits the recorded log template corresponding to the code to the electronic device 2.

For example, with reference to FIG. 8, the recorded log template RL1 corresponds to the log code CL1, the recorded log template RL2 corresponds to the log code CL2, the recorded log template RL3 corresponds to the log code CL3, and the recorded log template RL4 corresponds to the log code CL4. The query request message 202 sent by the electronic device 2 contains the code CL2. After receiving the query request message, the log processing device 1 searches its corresponding recorded log template RL2 from the log database 112 according to the code CL2, and transmits the recorded log template RL2 and the events E1, E2, E3, E8, E9, E16, and E17 included in the recorded log template RL2 to the electronic device 2.

In other embodiments, the electronic device 2 stores a log database 212, and the recorded log template stored in the log database 212 is the same as the log database 112. The log database 112 of the electronic device 2 is constantly updated. Therefore, the log database 212 of the electronic device 2 only stores newer (for example, within the past three months) recorded log templates. If the code carried in the query request message does not exist in the log database 212 of the electronic device 2, the electronic device 2 transmits the query request message to the log processing device 1 to obtain the recorded log template of the corresponding code.

A third embodiment of the present disclosure is as shown in FIG. 9 to FIG. 11. The third embodiment is an extension of the second embodiment. In this embodiment, the memory 11 further stores an event database 114, i.e., the memory 11 stores both the log database 112 and the event database 114. The event database 114 stores a plurality of recorded events and the combinational block data corresponding to each of the recorded events, e.g., the event E1 corresponds to the combinational block data cblk-1 “EPOCH”, the event E2 corresponds to the combinational block data cblk-2 “level=info”, the event E3 corresponds to the combinational block data cblk-3 “ts=YYYY-MM-DDTHH:MM:SS.SSSZ”, and so on.

In this embodiment, after the processor 13 of the log processing device 1 generates the log template, the processor 13 needs to store all the events of the log template into the event database 114. To avoid storing repeated events and corresponding combinational block data in the event database 114, resulting in a waste of storage space, the processor 13 compares each of the events with the recorded events after generating the events and storing the events and the combinational block data which corresponds to each of the events to the event database.

If there are no recorded events in the event database 114 that are the same as the events contained in the currently generated log template, the processor 13 stores the events contained in the currently generated log template, and the combinational block data to which the events correspond, in the event database 114. Conversely, if there are recorded events the same as the events of the currently generated log template in the event database 114, the processor 13 does not store the repeated events in the event database 114.

For example, with reference to FIG. 2 and FIG. 10, after generating the log template L1, the processor 13 compares the events of the log template L1 with the recorded events to determine whether there are any events in the event database 114 that are the same as those of the log template L1. The log template L1 includes events E1, E2, E3, E4, E5, E6, and E9, and the event database 114 already stores the recorded events E1, E2, and E3. After the comparison, the processor 13 only stores events E4, E5, E6, and E9 and their corresponding combinational block data to the event database 114.

For another example, with reference to FIG. 3 and FIG. 10, after generating the log template L2, the processor 13 compares the events of the log template L2 with the recorded events to determine whether there are any events in the event database 114 that are the same as those of the log template L2. The log template L2 includes events E10, E11, E12, E13, E14, and E15, and there are no recorded events the same as the events E10, E11, E12, E13, E14, and E15. After the comparison, the processor 13 stores events E10, E11, E12, E13, E14, and E15 and their corresponding combinational block data to the event database 114.

For another example, with reference to FIG. 4 and FIG. 10, after generating the log template L2, the processor 13 compares the events of the log template L2 with the recorded events to determine whether there are any events in the event database 114 that are the same as those of the log template L2. The log template L2 includes events E10, E11, E12, E13, E14, and E15, and there are no recorded events the same as the events E10, E11, E12, E13, E14, and E15. After the comparison, the processor 13 stores events E10, E11, E12, E13, E14, and E15 and their corresponding combinational block data to the event database 114.

In other embodiments, the processor 13 performs a numbering process on the recorded log templates to make each of the recorded log templates correspond to a log code, and performs the numbering process on the recorded events to make each of the events correspond to an event code. The log processing device 1 receives a query request message from an electronic device 2. When the query request message includes a code of the event codes, the processor 13 retrieves the recorded event corresponding to the code of the event codes from the event database 114 according to the code, retrieves the recorded log template including the recorded event which corresponds to the code from the log database 112, and transmits the recorded event corresponding to the code and the recorded log template including the recorded event which corresponds to the code to the electronic device 2.

For example, as shown in FIG. 11, the recorded log template RL1 corresponds to the log code CL1, the recorded log template RL2 corresponds to the log code CL2, the recorded log template RL3 corresponds to the log code CL3, and the recorded log template RL4 corresponds to the log code CL4. The electronic device 2 sends the query request message 204, which includes a code CE2, to the log processing device 1. After receiving the query request message 204, the log processing device 1 searches the event database 114 for the recorded event E2 corresponding to the code CE2 and the combinational block data cblk-2 corresponding to the event E2, and transmits the recorded event E2 and the combinational block data cblk-2 to the electronic device 2.

In other embodiments, the log database 212 and the event database 214 in the electronic device 2 are constantly updated. Therefore, the log database 212 of the electronic device 2 only stores newer (e.g., within the past three months) recorded log templates and events. When the code in the query request message does not exist in the event database 214 of the electronic device 2, the electronic device 2 sends the query request message to the log processing device 1 to obtain the corresponding recorded event and the recorded log template including the recorded event.

A fourth embodiment of the present disclosure is as shown in FIG. 12 and FIG. 13. The fourth embodiment is an extension of the third embodiment. In this embodiment, the memory 11 further stores a variable database 116, i.e., the memory 11 stores the log database 112, the event database 114, and the variable database 116, as shown in FIG. 12.

The processor 13 of the log processing device 1 determines whether a preset data attribute is included in the combinational block data. If the preset data attribute exists in the combinational block data, the processor 13 stores at least one of the events corresponding to the preset data attribute to the variable database 116 according to the preset data attribute. The combinational block data related to the preset data attribute can be used to determine whether the original log data is abnormal, so the default data attributes are usually related to time, such as: execution time, start time, end time, storage file size, storage start location, storage end position, memory start position, memory end position, network packet start position, network packet end position, network transmission rate, network reception rate, etc., but not limited thereto.

For example, reference is made to FIG. 2 and FIG. 13. In the above embodiment, among the data attributes of the combinational block data cblk-1, cblk-2, cblk-3, cblk-4, cblk-5, cblk-6, cblk-9 in the log template L1, the data attribute of the combinational block data cblk-9 is execution time, which belongs to the preset data attribute. However, if only the combinational block data cblk-9 is stored into the variable database 116, the combinational block data cblk-9 cannot be used to identify abnormalities. Therefore, it is necessary to also store the combinational block data cblk-4, cblk-5, cblk-6, which are related to the execution time of the combinational block data cblk-9. The events E4, E5, E6, and E9 corresponding to the combinational block data cblk-4, cblk-5, cblk-6, and cblk-9 form the variable template V1. The variable template V1 records the combinational block data cblk-4, cblk-5, cblk-6, cblk-9 corresponding to the events E4, E5, E6, and E9 respectively.

For example, reference is made to FIG. 3 and FIG. 13. In the above embodiment, there is no preset data attribute among the data attributes of the combinational block data in the log template L2. Therefore, the log template L2 does not include any variable template. In other words, not every log template has a variable template.

For example, reference is made to FIG. 5 and FIG. 13. In the above embodiment, among the data attributes of the combinational block data cblk-22, cblk-23, cblk-24, cblk-25, cblk-26, cblk-27, cblk-28, cblk-29, cblk-30, cblk-36 in the log template L3, the data attribute of the combinational block data cblk-30 is execution time, which belongs to the preset data attribute, and the data attribute of the combinational block data cblk-36 is execution time, which also belongs to the preset data attribute. Therefore, the processor 13 needs to store the combinational block data cblk-30, the combinational block data cblk-36, and their related combinational block data cblk-22, cblk-23, cblk-24, cblk-25, cblk-26, cblk-27, cblk-28, cblk-29 to the variable database 116. The events E22, E23, E24, E25, E26, E27, E28, E29, E30, and E36, corresponding to the combinational block data cblk-22, cblk-23, cblk-24, cblk-25, cblk-26, cblk-27, cblk-28, cblk-29, cblk-30, and cblk-36 respectively, constitute a variable template V2. The variable template V2 records the events E22, E23, E24, E25, E26, E27, E28, E29, E30, and E36.

A fifth embodiment of the present invention describes a log processing method, and a flowchart diagram thereof is as shown in FIG. 14. The log processing method is used in a log processing device (e.g., the log processing device 1 described in the aforesaid embodiments). The log processing device includes a memory and a processor. The processor is electrically connected to the memory. The memory stores an original log data. The log processing method is executed by the processor and includes the steps as follows.

First, in step S1402, the processor divides the original log data into a plurality of block data according to a first rule. In one embodiment, the original log data includes a plurality of strings, and the processor takes a blank between each of the strings as the first rule to divide the original log data into the combinational block data.

In step S1404, the processor transforms a numeric variable of each of the block data into a representative code according to a data attribute of each of the block data. In step S1406, the processor determines whether to perform a combination process for the continuous block data to generate a plurality of combinational block data according to a data integrity of each of the block data. In step S1408, the processor generates a log template corresponding to the original log data, the log template comprising the combinational block data. Each of the combinational block data corresponds to an event.

In other embodiments, the combination process determines a data integrity of each of the block data according to a second rule. When the data integrity of the at least two of the continuous block data are less than a threshold, the processor combines the at least two of the continuous block data. When the data integrity of one of the at least two of the continuous block data is less than the threshold, and the data integrity of the other one of the at least two of the continuous block data is greater than the threshold, the processor does not combine the at least two of the continuous block data. In one embodiment, the second rule is a semantic analysis.

In other embodiments, the memory further stores a log database. The log database stores a plurality of recorded log templates. The log processing method further includes the steps of: comparing the log template with the recorded log templates after generating the log template, and storing the log template to the log database.

In addition, in other embodiments, the memory further stores a log database. The log database stores a plurality of recorded log templates. The log processing method further includes the steps of: performing a numbering process on the recorded log templates to make each of the recorded log templates correspond to a log code, and receiving a query request message from an electronic device. When the query request message includes a code of the log codes, the method retrieves the recorded log template corresponding to the code of the log codes from the log database according to the code, and transmits the recorded log template corresponding to the code to the electronic device.

In other embodiments, in addition to the log database, the memory stores an event database, and the event database stores a plurality of recorded events. The log processing method further includes the following steps of: comparing each of the events with the recorded events after generating the events, and storing the events and the combinational block data which corresponds to each of the events to the event database.

In addition, in other embodiments, the log processing method further includes the following steps of: performing a numbering process on the recorded log templates to make each of the recorded log templates correspond to a log code, performing the numbering process on the recorded events to make each of the events correspond to an event code, and receiving a query request message from an electronic device.

In other embodiments, in addition to the log database and the event database, the memory further stores a variable database, and the log processing method further comprises the following steps of: determining whether a preset data attribute is included in the combinational block data, and storing at least one of the events corresponding to the preset data attribute to the variable database according to the preset data attribute.
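The steps S1402 to S1408 and the numbered event lookup can be followed end to end in the sketch below, which is an added example and not the patent's implementation. The representative codes, the `integrity` scoring that stands in for the semantic analysis, the threshold value, the class and function names, and the sample log lines are all assumptions made for illustration.

```python
import re

# Assumed representative codes; the page does not list the real ones.
VARIABLE = re.compile(
    r"(?P<IPADDR>\d{1,3}(?:\.\d{1,3}){3})|(?P<DATE>\d{4}-\d{2}-\d{2})"
    r"|(?P<TIME>\d{2}:\d{2}:\d{2})|(?P<NUM>\d+)"
)
THRESHOLD = 0.5  # assumed integrity threshold


def integrity(block):
    """Toy stand-in for the second rule (semantic analysis): a block that
    carries a representative code or closes a field with ':' is complete."""
    return 1.0 if "<" in block or block.endswith(":") else 0.0


def make_template(line):
    blocks = line.split()  # S1402: a blank between strings is the first rule
    # S1404: numeric variable -> representative code chosen by its attribute
    blocks = [VARIABLE.sub(lambda m: f"<{m.lastgroup}>", b) for b in blocks]
    combined, prev_low = [], False
    for block in blocks:  # S1406: combination process over continuous blocks
        low = integrity(block) < THRESHOLD
        if low and prev_low:
            combined[-1] += " " + block  # both below threshold: combine
        else:
            combined.append(block)  # otherwise keep the block separate
        prev_low = low
    return tuple(combined)  # S1408: log template, one event per block


class TemplateStore:
    """Log database and event database with the numbering process."""

    def __init__(self):
        self.log_db = {}    # log code -> recorded log template
        self.event_db = {}  # event code -> recorded combinational block

    @staticmethod
    def _code(db, prefix, value):
        for code, recorded in db.items():  # compare with recorded entries
            if recorded == value:
                return code
        code = f"{prefix}{len(db) + 1}"
        db[code] = value
        return code

    def record(self, line):
        template = make_template(line)
        log_code = self._code(self.log_db, "CL", template)
        return log_code, [self._code(self.event_db, "CE", b) for b in template]

    def query(self, event_code):
        """Return the recorded event and every recorded template holding it."""
        event = self.event_db.get(event_code)
        if event is None:
            return None  # unknown code: nothing recorded under it
        return event, {c: t for c, t in self.log_db.items() if event in t}


# Constructed sample lines, not taken from the page.
SAMPLE = [
    "2020-10-19 08:15:02 sshd[2211]: Failed password for root from 10.0.0.5 port 51234",
    "2020-10-19 08:15:09 sshd[2290]: Failed password for root from 10.0.0.77 port 40022",
    "2020-10-19 08:16:30 sshd[2291]: Accepted password for admin from 10.0.0.9 port 40100",
]
```

The first two sample lines collapse to one log code because only their variables differ, while the third introduces a single new event and reuses the rest.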

In addition to the aforesaid steps, the log processing method of the present disclosure can also execute all the operations described in the aforesaid embodiments and have all the corresponding functions, and how this embodiment executes these operations and has these functions based on the aforesaid embodiments shall be readily appreciated by those of ordinary skill in the art, and thus will not be further described herein.

According to the above description, the log data parsing mechanism of the present disclosure extracts the events that caused the log record and analyzes the variable changes, and the method for analyzing the original log data of the present invention does not need to be changed due to the original log data of different data types. Accordingly, the log record analysis mechanism of the present disclosure can satisfy the analysis of various complex log contents, and store the corresponding data through different databases after the analysis, so that the user can quickly identify the original log data. In addition, by using the block data processing, not only can the computing performance be improved, but horizontal scalability can also be obtained.

Although the present disclosure has been described in considerable detail with reference to certain embodiments thereof, other embodiments are possible.

Therefore, the spirit and scope of the appended claims should not be limited to the description of the embodiments contained herein.

It will be apparent to those skilled in the art that various modifications and variations can be made to the structure of the present disclosure without departing from the scope or spirit of the invention. In view of the foregoing, it is intended that the present disclosure cover modifications and variations of this invention provided they fall within the scope of the following claims.

What is claimed is:
 1. A log processing device, comprising: a memory, being configured to store an original log data; and a processor, being electrically connected to the memory, and configured to perform operations comprising: dividing the original log data into a plurality of block data according to a first rule; transforming a numeric variable of each of the block data into a representative code according to a data attribute of each of the block data; determining whether to perform a combination process for the continuous block data to generate a plurality of combinational block data according to a data integrity of each of the block data; and generating a log template corresponding to the original log data, the log template comprising the combinational log data; wherein each of the combinational block data corresponds to an event.
 2. The log processing device of claim 1, wherein the original log data comprising a plurality of strings, the processor is configured to take a blank between each of the strings as the first rule to divide the original log data into the combinational block data.
 3. The log processing device of claim 1, wherein when the processor is performs the combination process, the processor is further configured perform operations comprising: determining, in order, a data integrity of each of the block data according to a second rule; and combining at least two of the continuous block data when the data integrity of the at least two of the continuous block data are less than a threshold.
 4. The log processing device of claim 3, wherein the processor is further configured to perform operation comprising: when the data integrity of one of the at least two of the continuous block data is less than the threshold, and the data integrity of the other one of the at least two of the continuous block data is greater than the threshold, the processor does not combine the at least two of the continuous block data.
 5. The log processing device of claim 1, wherein the second rule is a semantic analysis.
 6. The log processing device of claim 1, wherein the memory is further configured to store a log database, the log database stores a plurality of recorded log templates, and the processor is further configured to perform operation comprising: comparing the log template with the recorded log templates after generating the log template and storing the log template to the log database.
 7. The log processing device of claim 6, wherein the processor is further configured to perform operations comprising: performing a numbering process on the recorded log templates to make each of the recorded log templates correspond to a log code; receiving a query request message from an electronic device; and when the query request message comprising a code of the log codes, retrieving the recorded log template corresponding to the code of the log codes from the log database according to the code, and transmitting the recorded log template corresponding to the code to the electronic device.
 8. The log processing device of claim 6, wherein the memory is further configured to store an event database, the event database stores a plurality of recoded events, and the processor is further configured to perform operation comprising: comparing each of the events with the recorded events after generating the events and storing the events and the combinational block data which corresponds to each of the events to the event database.
 9. The log processing device of claim 8, wherein the processor is further configured to perform operation comprising: performing a numbering process on the recorded log templates to make each of the recorded log templates correspond to a log code; performing the numbering process on the recorded events to make each of the recorded events correspond to an event code; receiving a query request message from an electronic device; and when the query request message comprising a code of the event codes, retrieving the recorded event corresponding to the code of the event codes from the event database according to the code, retrieving the recorded log template including the recorded event which corresponds to the code from the log database, and transmitting the recorded event corresponding to the code and the recorded log template including the recorded event which corresponding to the code to the electronic device.
 10. The log processing device of claim 8, wherein the memory is further configured to store a variable database, and the processor is further configured to perform operation comprising: determining whether a preset data attribute is included in the combinational block data; and storing at least one of the events corresponding to the preset data attribute to the variable database according to the preset data attribute.
 11. A log processing method for a log processing device, the log processing device comprising a memory and a processor, the memory being configured to store an original log data, the log processing method being executed by the processor and comprising: dividing the original log data into a plurality of block data according to a first rule; transforming a numeric variable of each of the block data into a representative code according to a data attribute of each of the block data; determining whether to perform a combination process for the continuous block data to generate a plurality of combinational block data according to a data integrity of each of the block data; and generating a log template corresponding to the original log data, the log template comprising the combinational block data; wherein each of the combinational block data corresponds to an event.
 12. The log processing method of claim 11, wherein the original log data comprising of a plurality of strings, the processor is configured to take a blank between each of the strings as the first rule to divide the original log data into the combinational block data.
 13. The log processing method of claim 11, wherein when the processor is configured to perform the combination process, the log processing method further comprises: determining, in order, a data integrity of each of the block data according to a second rule; and combining at least two of the continuous block data when the data integrity of the at least two of the continuous block data are less than a threshold.
 14. The log processing method of claim 13, further comprising: when the data integrity of one of the at least two of the continuous block data is less than the threshold, and the data integrity of the other one of the at least two of the continuous block data is greater than the threshold, the processor does not combine the at least two of the continuous block data.
 15. The log processing method of claim 13, wherein the second rule is a semantic analysis.
 16. The log processing method of claim 11, wherein the memory is further configured to store a log database, the log database stores a plurality of recorded log templates, and the log processing method further comprises: comparing the log template with the recorded log templates after generating the log template and storing the log template to the log database.
 17. The log processing method of claim 16, further comprising: performing a numbering process on the recorded log templates to make each of the recorded log templates correspond to a log code; receiving a query request message from an electronic device; and when the query request message comprising a code of the log codes, retrieving the recorded log template corresponding to the code of the log codes from the log database according to the code, and transmitting the recorded log template corresponding to the code to the electronic device.
 18. The log processing method of claim 16, wherein the memory is further configured to store an event database, the event database stores a plurality of recoded events, and the log processing method further comprises: comparing each of the events with the recorded events after generating the events and storing the events and the combinational block data which corresponds to each of the events to the event database.
 19. The log processing method of claim 18, further comprising: performing a numbering process on the recorded log templates to make each of the recorded log templates correspond to a log code; performing the numbering process on the recorded events to make each of the recorded events correspond to an event code; receiving a query request message from an electronic device; and when the query request message comprising a code of the event codes, retrieving the recorded event corresponding to the code of the event codes from the event database according to the code, retrieving the recorded log template including the recorded event which corresponds to the code from the log database, and transmitting the recorded event corresponding to the code and the recorded log template including the recorded event which corresponding to the code to the electronic device.
 20. The log processing method of claim 19, wherein the memory is further configured to store a variable database, and the log processing method further comprises: determining whether a preset data attribute is included in the combinational block data; and storing at least one of the events corresponding to the preset data attribute to the variable database according to the preset data attribute.